Open marrobi opened 1 year ago
Could not get this to work and allow traffic to be routed to the internet when set to Block, even when I allowed all traffic on the workspace VNet NSG. The Core VNet firewall subnet has no NSG attached.
Need somebody to verify that it is possible.
@SvenAelterman if you have any further thoughts, I'd be grateful for any input.
Maybe https://learn.microsoft.com/en-us/azure/virtual-network-manager/create-virtual-network-manager-portal?tabs=manualmembership would simplify this configuration.
At present the workspace-to-core VNet peer and the core-to-workspace VNet peer have this setting set to Allow:

This makes the core VNet part of the VirtualNetwork tag used by network security groups. This means that within NSGs we need to keep track of workspace address spaces, and if the VirtualNetwork tag is used inadvertently it also allows access to the core network. As we have explicit allow and deny rules on the NSGs, changing this setting to "Block all traffic to the remote virtual network" should have no adverse effect. However, this should be verified. Once disabled, NSG configurations can revert to using the VirtualNetwork tag, which leads to easier-to-read definitions and simplifies Terraform.
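As an added illustration (not Terraform from the issue or the project), this is how the proposed change would look with the azurerm provider: the peering with allow_virtual_network_access = false, which corresponds to "Block all traffic to the remote virtual network", next to an NSG rule that relies on the VirtualNetwork tag instead of a list of workspace CIDRs. Resource group, VNet, NSG names and the vnet id variables are assumed.

```hcl
# Added example with assumed names; the core and workspace VNets already exist.
# Current (weak) setting on both peers: allow_virtual_network_access = true,
# which pulls the core VNet into the VirtualNetwork tag seen by workspace NSGs.

resource "azurerm_virtual_network_peering" "workspace_to_core" {
  name                      = "workspace-to-core"
  resource_group_name       = "rg-workspace"        # assumed
  virtual_network_name      = "vnet-workspace"      # assumed
  remote_virtual_network_id = var.core_vnet_id      # assumed variable

  # "Block all traffic to the remote virtual network": the core VNet is
  # no longer part of the VirtualNetwork tag from the workspace side.
  allow_virtual_network_access = false

  # Kept so traffic can still be forwarded via the firewall in the core VNet.
  allow_forwarded_traffic = true
  allow_gateway_transit   = false
  use_remote_gateways     = false
}

resource "azurerm_virtual_network_peering" "core_to_workspace" {
  name                      = "core-to-workspace"
  resource_group_name       = "rg-core"             # assumed
  virtual_network_name      = "vnet-core"           # assumed
  remote_virtual_network_id = var.workspace_vnet_id # assumed variable

  allow_virtual_network_access = false
  allow_forwarded_traffic      = true
}

# With the peer set to Block, this rule no longer needs an explicit list of
# workspace address spaces, and it no longer reaches the core network by accident.
resource "azurerm_network_security_rule" "allow_within_workspace" {
  name                        = "AllowWithinWorkspace"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = "rg-workspace"      # assumed
  network_security_group_name = "nsg-workspace"     # assumed
}
```

The issue reports that with the peer set to Block, internet-bound traffic routed through the core firewall did not flow even with a permissive workspace NSG, so this configuration still needs the verification the issue asks for before it is adopted.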